Blockchain.info - Bitcoin Block explorer & Currency Statistics - page 57.

Newar

legendary

Activity: 1358

Merit: 1001

https://gliph.me/hUF

Quote from: ErebusBat on April 24, 2013, 11:16:29 AM

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?

I found the file as described here: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/c9ljtlk
but can not open it (phone editor, laptop editor)

John (John K.)

legendary

Activity: 1288

Merit: 1227

Away on an extended break

Quote from: ?? on ??

Missing "Refresh" and "Logoff" GUI buttons that were in the top right corner previously. Is it just me, or something changed in the GUI?

What, no one else lost Refresh/Logoff buttons, just me? I'm on Chrome, and cleared my browser data recently. Now my buttons disappeared, and I miss them!

I lose the buttons regularly on my small netbook when I use blockchain.info to push tx's through MyWallet. I'm running Chrome too.

ErebusBat

hero member

Activity: 560

Merit: 500

I am the one who knocks

Quote from: bizz on April 24, 2013, 09:07:00 AM

Quote from: ErebusBat on April 24, 2013, 08:31:50 AM

Ben: Has anyone ever reported a theft from BCI while 2FA was enabled on their account?

Today: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

For those that just want the story without the reddit follow through:

Quote

I just had 160 bitcoins stolen by this transaction: https://blockchain.info/tx/5abb271eb6e2d0da1855b06282c84dcf7467dda9da6da9090cad10ddae957fc7
I use the blockchain.info wallet service to manage that address. My password was a random 18 character password with punctuation, upper/lower case etc. I had two-factor authentication with Google Authenticator turned on and a second password on the account that was a random 8 characters.
I had logged into the account with my laptop at home to send a small transaction of 0.937 bitcoins half an hour earlier. I haven't left the house since so no one has had access to my laptop. I'm on WPA2 secured wifi but not using a VPN. Laptop is running Ubuntu. I also have the blockchain.info app on my phone. It doesn't use the 2-factor authentication or the main password but does prompt for the second password.
I'm at a loss. This is my worst fear realized. Anyone have any suggestions? Sad

EDIT: This is a quote from that thread:

Quote

The phone app stores your primary password in plain text, relying on the sandboxing mechanism of the phone OS. And it doesn't support 2-factor. Your secondary 8 character password could be cracked.

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?

Gaff

hero member

Activity: 924

Merit: 502

Quote from: piuk on April 24, 2013, 08:03:26 AM

Changes to Alias Resolving

...Also given the recent scandal with Instawallet URLs being searchable via Google - can you send a one-time-alias URL rather than the real identifier?

Gaff

hero member

Activity: 924

Merit: 502

Quote from: piuk on April 24, 2013, 08:03:26 AM

Changes to Alias Resolving

When a wallet is accessed using an alias if the browser does not already have the wallet identifier saved or have an authorised login session email authorisation will now be required.

If the browser is perviously recognised by blockchain no authorisation is required. Wallet can still be accessed directly by identifier, which provides 128 bits of entropy and should always be kept secret.

For example if you visit my personal wallet: https://blockchain.info/wallet/piuk if will appear as if no wallet exists however I will receive an authorisation email.

A number of users have reported their wallet being compromised to me, the exact cause is unknown (I suspect malware) however in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice, however it much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem.

I will respond to the above posts shortly, apologies for the delay.

I like this change - but blockchain.info assumes my email is secure. I don't think this is a great assumption.

Question: Shouldn't 2-factor authentication be sufficient here? If I have the right identifier and I pass the 2-factor check *then* you can send me the encrypted wallet?

bizz

hero member

Activity: 492

Merit: 500

Quote from: ErebusBat on April 24, 2013, 08:31:50 AM

Ben: Has anyone ever reported a theft from BCI while 2FA was enabled on their account?

Today: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

ErebusBat

hero member

Activity: 560

Merit: 500

I am the one who knocks

Quote from: ghostshirt on April 24, 2013, 08:31:22 AM

Hello,

How does Blockchain.info calculate a transaction fee? I've made a 2420-byte transaction and paid 0.0015 BTC, I thought 0.0005 is the norm for Bitcoin network (for now).

It depends on how big (BTC wise) and how old the inputs are.

ErebusBat

hero member

Activity: 560

Merit: 500

I am the one who knocks

Quote from: piuk on April 24, 2013, 08:03:26 AM

A number of users have reported their wallet being compromised to me, the exact cause is unknown (I suspect malware) however in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice, however it much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem.

I will respond to the above posts shortly, apologies for the delay.

I love this. I will let you know if I start to get a ton of emails from unknown browsers.

HOWEVER if this is indeed malware targeted at BCI it would be a very trivial task to either just steal the wallet identifier/blob from the browser (we already know they have the password). So we may not see a decline in these reports if this is the cause (however this is still a great feature!). PLEASE ENABLE TWO FACTOR AUTHENTICATION PEOPLE!

Ben: Has anyone ever reported a theft from BCI while 2FA was enabled on their account?

ghostshirt

full member

Activity: 216

Merit: 100

Hello,

How does Blockchain.info calculate a transaction fee? I've made a 2420-byte transaction and paid 0.0015 BTC, I thought 0.0005 is the norm for Bitcoin network (for now).

piuk

hero member

Activity: 910

Merit: 1005

Changes to Alias Resolving

When a wallet is accessed using an alias if the browser does not already have the wallet identifier saved or have an authorised login session email authorisation will now be required.

If the browser is perviously recognised by blockchain no authorisation is required. Wallets can still be accessed directly by identifier, which provides 128 bits of entropy and should always be kept secret.

For example if you visit my personal wallet: https://blockchain.info/wallet/piuk if will appear as if no wallet exists however I will receive an authorisation email.

A number of users have reported their wallet being compromised to me, the exact cause is unknown (I suspect malware) however in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice, however it much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem.

I will respond to the above posts shortly, apologies for the delay.

hazek

legendary

Activity: 1078

Merit: 1003

I was just suggested to pay a 0.005 fee by the blockchain app. The app is really great however I really miss the option to enter a specific fee. The choice right now seems to be to either not pay anything or to pay what the app suggests..

willphase

hero member

Activity: 767

Merit: 500

Quote from: willphase on April 18, 2013, 08:42:52 AM

Piuk, can you comment on the Amazon S3 backup regime for deleted private keys - i.e. if I were to upload a private key and then later on delete it - are old copies of the encrypted wallet file still stored on S3 - and if so, for how long?

Regards,

Will

piuk - I wondered if you had a moment to answer my question about the S3 backups...?

Will

John (John K.)

legendary

Activity: 1288

Merit: 1227

Away on an extended break

Quote from: piuk on April 23, 2013, 10:59:39 AM

Any problems with the site please check twitter as https://twitter.com/blockchain as a first port of call.

Okay, thanks.

piuk

hero member

Activity: 910

Merit: 1005

Any problems with the site please check twitter as https://twitter.com/blockchain as a first port of call.

Trillian

newbie

Activity: 23

Merit: 0

Yup, latest transaction shown is now 15 mins old. Can't login to my wallet.

John (John K.)

legendary

Activity: 1288

Merit: 1227

Away on an extended break

PS: The site's having problems again:

Code:

Got error 157 'Unknown error code' from NDBCLUSTER

ErebusBat

hero member

Activity: 560

Merit: 500

I am the one who knocks

Quote from: Timbo925 on April 21, 2013, 08:02:03 AM

Quote from: whiskers75 on April 21, 2013, 06:04:56 AM

Put a warning up about enabling 2 factor auth - I lost 1.2 BTC due to a "It would take a desktop PC about 175 years to crack your password" password. (http://howsecureismypassword.net)

Dont test your password at these kind of sites. Just plain stupid to enter it somewhere online to test the strengt ...

I would trust https://www.grc.com/haystack.htm

internationalaw

member

Activity: 78

Merit: 10

Community Manager at Letstalkbitcoin.com

Thanks for the reset piuk!!!!!!

rme

hero member

Activity: 756

Merit: 504

Please Blockchain.info redirect HTTP to HTTPS always like Bitcointalk and MtGox do.
Also in the wallet login page warn users to check the green bar in the url.

rme

hero member

Activity: 756

Merit: 504

Quote from: Timbo925 on April 21, 2013, 08:02:03 AM

Quote from: whiskers75 on April 21, 2013, 06:04:56 AM

Put a warning up about enabling 2 factor auth - I lost 1.2 BTC due to a "It would take a desktop PC about 175 years to crack your password" password. (http://howsecureismypassword.net)

Dont test your password at these kind of sites. Just plain stupid to enter it somewhere online to test the strengt ...

The website uses only Javascript.

Topic: Blockchain.info - Bitcoin Block explorer & Currency Statistics - page 57. (Read 482537 times)